<!DOCTYPE html>
<html id="docs" lang="en" class="">
	<head>
	<meta charset="utf-8">
<title>Authenticating with Bootstrap Tokens - Kubernetes</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" type="image/png" href="../../../../images/favicon.png">
<link rel="stylesheet" type="text/css" href="../../../../css/base_fonts.css">
<link rel="stylesheet" type="text/css" href="../../../../css/styles.css">
<link rel="stylesheet" type="text/css" href="https://code.jquery.com/ui/1.12.1/themes/smoothness/jquery-ui.css">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/sweetalert/1.1.3/sweetalert.min.css">
<link rel="stylesheet" type="text/css" href="../../../../css/callouts.css">
<link rel="stylesheet" type="text/css" href="../../../../css/custom-jekyll/tags.css">




<meta name="description" content="Authenticating with Bootstrap Tokens" />
<meta property="og:description" content="Authenticating with Bootstrap Tokens" />

<meta property="og:url" content="https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/" />
<meta property="og:title" content="Authenticating with Bootstrap Tokens - Kubernetes" />

<script
src="https://code.jquery.com/jquery-3.2.1.min.js"
integrity="sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4="
crossorigin="anonymous"></script>
<script
src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js"
integrity="sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU="
crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/sweetalert/1.1.3/sweetalert.min.js"></script>
<script src="../../../../js/script.js"></script>
<script src="../../../../js/custom-jekyll/tags.js"></script>


	</head>
	<body>


		
		
		
		
<section id="deprecationWarning">
  <main>
    <div class="content deprecation-warning">
      <h3>
        Documentation for Kubernetes v1.11 is no longer actively maintained. The version you are currently viewing is a static snapshot.
        For up-to-date documentation, see the <a href="https://kubernetes.io/docs/home/">latest</a> version.
      </h3>
    </div>
  </main>
</section>


		<section id="encyclopedia">
			

			<div id="docsContent">
				

<h1>Authenticating with Bootstrap Tokens</h1>



<p>A bootstrap token is a simple bearer token meant to be used when creating a
new cluster or joining new nodes to an existing cluster.  It was built to
support <a href="../../generated/kubeadm/index.html">kubeadm</a>, but can be used in other contexts
by users who wish to start clusters without <code>kubeadm</code>. It is also built to
work, via RBAC policy, with the <a href="../../command-line-tools-reference/kubelet-tls-bootstrapping/index.html">Kubelet TLS
Bootstrapping</a> system.</p>









<ul id="markdown-toc">
<li><a href="../../../admin/bootstrap-tokens/index.html#bootstrap-tokens-overview">Bootstrap Tokens Overview</a></li>
<li><a href="../../../admin/bootstrap-tokens/index.html#token-format">Token Format</a></li>
<li><a href="../../../admin/bootstrap-tokens/index.html#enabling-bootstrap-token-authentication">Enabling Bootstrap Token Authentication</a></li>
<li><a href="../../../admin/bootstrap-tokens/index.html#bootstrap-token-secret-format">Bootstrap Token Secret Format</a></li>
<li><a href="../../../admin/bootstrap-tokens/index.html#token-management-with-kubeadm">Token Management with kubeadm</a></li>
<li><a href="../../../admin/bootstrap-tokens/index.html#configmap-signing">ConfigMap Signing</a></li>
</ul>


<h2 id="bootstrap-tokens-overview">Bootstrap Tokens Overview</h2>

<p>Bootstrap Tokens are defined as Secrets of a specific type
(<code>bootstrap.kubernetes.io/token</code>) that live in the <code>kube-system</code>
namespace.  These Secrets are read by the Bootstrap Authenticator in the
API Server.  Expired tokens are removed by the TokenCleaner controller in the
Controller Manager.  The tokens are also used by the BootstrapSigner controller
to create a signature over a specific ConfigMap that is used in a
&ldquo;discovery&rdquo; process.</p>

<div style="margin-top: 10px; margin-bottom: 10px;">
<b>FEATURE STATE:</b> <code>Kubernetes v1.11</code> <em>beta</em>
<p>This feature is currently in a <em>beta</em> state, meaning:</p>
<ul>
<li>The version names contain beta (e.g. v2beta3).</li>
<li>Code is well tested. Enabling the feature is considered safe. Enabled by default.</li>
<li>Support for the overall feature will not be dropped, though details may change.</li>
<li>The schema and/or semantics of objects may change in incompatible ways in a subsequent beta or stable release. When this happens, we will provide instructions for migrating to the next version. This may require deleting, editing, and re-creating API objects. The editing process may require some thought. This may require downtime for applications that rely on the feature.</li>
<li>Recommended for only non-business-critical uses because of potential for incompatible changes in subsequent releases. If you have multiple clusters that can be upgraded independently, you may be able to relax this restriction.</li>
<li><strong>Please do try our beta features and give feedback on them! After they exit beta, it may not be practical for us to make more changes.</strong></li>
</ul>
</div>

<h2 id="token-format">Token Format</h2>

<p>Bootstrap Tokens take the form of <code>abcdef.0123456789abcdef</code>.  More formally,
they must match the regular expression <code>[a-z0-9]{6}\.[a-z0-9]{16}</code>.</p>

<p>The first part of the token is the &ldquo;Token ID&rdquo; and is considered public
information.  It is used when referring to a token without leaking the secret
part used for authentication. The second part is the &ldquo;Token Secret&rdquo; and should
only be shared with trusted parties.</p>

<h2 id="enabling-bootstrap-token-authentication">Enabling Bootstrap Token Authentication</h2>

<p>The Bootstrap Token authenticator can be enabled using the following flag on the
API server:</p>

<pre><code>--enable-bootstrap-token-auth
</code></pre>

<p>When enabled, bootstrap tokens can be used as bearer token credentials to
authenticate requests against the API server:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-http" data-lang="http"><span style="">Authorization: Bearer 07401b.f395accd246ae52d</span></code></pre></div>
<p>Tokens authenticate as the username <code>system:bootstrap:&lt;token id&gt;</code> and are members
of the group <code>system:bootstrappers</code>.  Additional groups may be specified in the
token&rsquo;s Secret.</p>

<p>Expired tokens can be deleted automatically by enabling the <code>tokencleaner</code>
controller on the controller manager.</p>

<pre><code>--controllers=*,tokencleaner
</code></pre>

<h2 id="bootstrap-token-secret-format">Bootstrap Token Secret Format</h2>

<p>Each valid token is backed by a secret in the <code>kube-system</code> namespace.  You can
find the full design doc
<a href="https://github.com/kubernetes/community/blob/v1.11.3/contributors/design-proposals/cluster-lifecycle/bootstrap-discovery.md" target="_blank">here</a>.</p>

<p>Here is what the secret looks like.</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml">apiVersion:<span style="color:#bbb"> </span>v1<span style="color:#bbb">
</span><span style="color:#bbb"></span>kind:<span style="color:#bbb"> </span>Secret<span style="color:#bbb">
</span><span style="color:#bbb"></span>metadata:<span style="color:#bbb">
</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># Name MUST be of form &#34;bootstrap-token-&lt;token id&gt;&#34;</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>name:<span style="color:#bbb"> </span>bootstrap-token-07401b<span style="color:#bbb">
</span><span style="color:#bbb">  </span>namespace:<span style="color:#bbb"> </span>kube-system<span style="color:#bbb">
</span><span style="color:#bbb">
</span><span style="color:#bbb"></span><span style="color:#080;font-style:italic"># Type MUST be &#39;bootstrap.kubernetes.io/token&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb"></span>type:<span style="color:#bbb"> </span>bootstrap.kubernetes.io/token<span style="color:#bbb">
</span><span style="color:#bbb"></span>stringData:<span style="color:#bbb">
</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># Human readable description. Optional.</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>description:<span style="color:#bbb"> </span><span style="color:#b44">&#34;The default bootstrap token generated by &#39;kubeadm init&#39;.&#34;</span><span style="color:#bbb">
</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># Token ID and secret. Required.</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>token-id:<span style="color:#bbb"> </span>07401b<span style="color:#bbb">
</span><span style="color:#bbb">  </span>token-secret:<span style="color:#bbb"> </span>f395accd246ae52d<span style="color:#bbb">
</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># Expiration. Optional.</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>expiration:<span style="color:#bbb"> </span>2017-03-10T03:22:11Z<span style="color:#bbb">
</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># Allowed usages.</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>usage-bootstrap-authentication:<span style="color:#bbb"> </span><span style="color:#b44">&#34;true&#34;</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>usage-bootstrap-signing:<span style="color:#bbb"> </span><span style="color:#b44">&#34;true&#34;</span><span style="color:#bbb">
</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># Extra groups to authenticate the token as. Must start with &#34;system:bootstrappers:&#34;</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>auth-extra-groups:<span style="color:#bbb"> </span>system:bootstrappers:worker,system:bootstrappers:ingress</code></pre></div>
<p>The type of the secret must be <code>bootstrap.kubernetes.io/token</code> and the name must
be <code>bootstrap-token-&lt;token id&gt;</code>.  It must also exist in the <code>kube-system</code>
namespace.</p>

<p>The <code>usage-bootstrap-*</code> members indicate what this secret is intended to be used
for.  A value must be set to <code>true</code> to be enabled.</p>

<ul>
<li><code>usage-bootstrap-authentication</code> indicates that the token can be used to
authenticate to the API server as a bearer token.</li>
<li><code>usage-bootstrap-signing</code> indicates that the token may be used to sign the
<code>cluster-info</code> ConfigMap as described below.</li>
</ul>

<p>The <code>expiration</code> field controls the expiry of the token.  Expired tokens are
rejected when used for authentication and ignored during ConfigMap signing.
The expiry value is encoded as an absolute UTC time using RFC3339.  Enable the
<code>tokencleaner</code> controller to automatically delete expired tokens.</p>
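<p>As an added example (not the API server&rsquo;s own authenticator code), the following Go program applies the rules from the Token Format, Enabling Bootstrap Token Authentication and Bootstrap Token Secret Format sections above to a presented bearer token: it splits the token into its public ID and private secret, looks up the <code>bootstrap-token-&lt;token id&gt;</code> Secret, checks namespace, type, <code>usage-bootstrap-authentication</code>, <code>expiration</code> and the <code>auth-extra-groups</code> prefix, compares the secret half in constant time, and derives the <code>system:bootstrap:&lt;token id&gt;</code> username and the <code>system:bootstrappers</code> groups. The <code>BootstrapSecret</code> struct and the in-memory <code>sampleSecrets</code> map are stand-ins for the Secret objects in <code>kube-system</code> (the sample is the page&rsquo;s example token); the fixed clock and the single shared error for unknown ID and wrong secret are this example&rsquo;s own choices.</p>

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// BootstrapSecret is a minimal stand-in for a Kubernetes Secret (not the
// client-go type). Data holds decoded values, as under stringData on the page.
type BootstrapSecret struct {
	Namespace, Type string
	Data            map[string]string
}

var tokenRe = regexp.MustCompile(`^([a-z0-9]{6})\.([a-z0-9]{16})$`) // the page's token grammar

var errInvalidToken = errors.New("bootstrap token: invalid or unknown token")

// SplitToken checks the abcdef.0123456789abcdef form and returns the public
// token ID and the private token secret.
func SplitToken(token string) (id, secret string, err error) {
	m := tokenRe.FindStringSubmatch(token)
	if m == nil {
		return "", "", errInvalidToken
	}
	return m[1], m[2], nil
}

// Authenticate applies the page's rules to a bearer token: fetch the Secret named
// bootstrap-token-ID through lookup, check namespace, type, usage flag and expiry,
// compare the secret half in constant time, and derive user and groups. Unknown
// ID and wrong secret yield the same error so neither can be probed separately.
func Authenticate(bearer string, lookup func(name string) (*BootstrapSecret, bool), now time.Time) (user string, groups []string, err error) {
	id, secret, err := SplitToken(bearer)
	if err != nil {
		return "", nil, err
	}
	s, ok := lookup("bootstrap-token-" + id)
	if !ok || s.Namespace != "kube-system" || s.Type != "bootstrap.kubernetes.io/token" ||
		s.Data["token-id"] != id ||
		subtle.ConstantTimeCompare([]byte(s.Data["token-secret"]), []byte(secret)) != 1 {
		return "", nil, errInvalidToken
	}
	if s.Data["usage-bootstrap-authentication"] != "true" {
		return "", nil, errors.New("bootstrap token: not enabled for authentication")
	}
	if exp := s.Data["expiration"]; exp != "" { // absolute RFC3339 time; absent means no expiry
		t, err := time.Parse(time.RFC3339, exp)
		if err != nil {
			return "", nil, fmt.Errorf("bootstrap token: bad expiration %q: %v", exp, err)
		}
		if !now.Before(t) {
			return "", nil, errors.New("bootstrap token: expired")
		}
	}
	groups = []string{"system:bootstrappers"}
	for _, g := range strings.Split(s.Data["auth-extra-groups"], ",") {
		if g == "" {
			continue // no extra groups configured
		}
		if !strings.HasPrefix(g, "system:bootstrappers:") {
			return "", nil, fmt.Errorf("bootstrap token: extra group %q lacks the system:bootstrappers: prefix", g)
		}
		groups = append(groups, g)
	}
	return "system:bootstrap:" + id, groups, nil
}

// sampleSecrets is a constructed in-memory store holding the page's example
// Secret, keyed by name; a real authenticator reads these from kube-system.
var sampleSecrets = map[string]*BootstrapSecret{
	"bootstrap-token-07401b": {Namespace: "kube-system", Type: "bootstrap.kubernetes.io/token", Data: map[string]string{
		"token-id":                       "07401b",
		"token-secret":                   "f395accd246ae52d",
		"expiration":                     "2017-03-10T03:22:11Z",
		"usage-bootstrap-authentication": "true",
		"usage-bootstrap-signing":        "true",
		"auth-extra-groups":              "system:bootstrappers:worker,system:bootstrappers:ingress",
	}},
}

func lookupSample(name string) (*BootstrapSecret, bool) {
	s, ok := sampleSecrets[name]
	return s, ok
}

func main() {
	now := time.Date(2017, 3, 1, 0, 0, 0, 0, time.UTC) // fixed clock, before the sample expiry
	for _, bearer := range []string{"07401b.f395accd246ae52d", "07401b.f395accd246ae52e", "zzzzzz.f395accd246ae52d"} {
		user, groups, err := Authenticate(bearer, lookupSample, now)
		fmt.Printf("%s -> user=%q groups=%v err=%v\n", bearer, user, groups, err)
	}
	_, _, err := Authenticate("07401b.f395accd246ae52d", lookupSample, now.AddDate(0, 1, 0))
	fmt.Println("same token one month later ->", err)
}
```

<p>Run it and the three bearer strings show the valid token, a token with one wrong secret character, and an unknown token ID; only the first yields an identity, and the same token is rejected once the clock passes <code>expiration</code>. The lookup by name happens before the secret is compared, which can reveal only whether a token ID exists; the page already treats the ID as public information, which is why the secret half is the part that gets the constant-time comparison.</p>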

<h2 id="token-management-with-kubeadm">Token Management with kubeadm</h2>

<p>You can use the <code>kubeadm</code> tool to manage tokens on a running cluster. See the
<a href="../../setup-tools/kubeadm/kubeadm-token.1">kubeadm token docs</a> for details.</p>

<h2 id="configmap-signing">ConfigMap Signing</h2>

<p>In addition to authentication, the tokens can be used to sign a ConfigMap.  This
is used early in a cluster bootstrap process before the client trusts the API
server.  The signed ConfigMap can be authenticated by the shared token.</p>

<p>Enable ConfigMap signing by enabling the <code>bootstrapsigner</code> controller on the
Controller Manager.</p>

<pre><code>--controllers=*,bootstrapsigner
</code></pre>

<p>The ConfigMap that is signed is <code>cluster-info</code> in the <code>kube-public</code> namespace.
The typical flow is that a client reads this ConfigMap while unauthenticated and
ignoring TLS errors, because it does not yet know the cluster&rsquo;s CA.  It then
validates the payload of the ConfigMap by checking the signature embedded in the
ConfigMap against the token it already holds.</p>

<p>The ConfigMap may look like this:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml">apiVersion:<span style="color:#bbb"> </span>v1<span style="color:#bbb">
</span><span style="color:#bbb"></span>kind:<span style="color:#bbb"> </span>ConfigMap<span style="color:#bbb">
</span><span style="color:#bbb"></span>metadata:<span style="color:#bbb">
</span><span style="color:#bbb">  </span>name:<span style="color:#bbb"> </span>cluster-info<span style="color:#bbb">
</span><span style="color:#bbb">  </span>namespace:<span style="color:#bbb"> </span>kube-public<span style="color:#bbb">
</span><span style="color:#bbb"></span>data:<span style="color:#bbb">
</span><span style="color:#bbb">  </span>jws-kubeconfig-07401b:<span style="color:#bbb"> </span>eyJhbGciOiJIUzI1NiIsImtpZCI6IjA3NDAxYiJ9..tYEfbo6zDNo40MQE07aZcQX2m3EB2rO3NuXtxVMYm9U<span style="color:#bbb">
</span><span style="color:#bbb">  </span>kubeconfig:<span style="color:#bbb"> </span><span style="color:#b44;font-style:italic">|
</span><span style="color:#b44;font-style:italic">    apiVersion: v1
</span><span style="color:#b44;font-style:italic">    clusters:
</span><span style="color:#b44;font-style:italic">    - cluster:
</span><span style="color:#b44;font-style:italic">        certificate-authority-data: &lt;really long certificate data&gt;
</span><span style="color:#b44;font-style:italic">        server: https://10.138.0.2:6443
</span><span style="color:#b44;font-style:italic">      name: &#34;&#34;
</span><span style="color:#b44;font-style:italic">    contexts: []
</span><span style="color:#b44;font-style:italic">    current-context: &#34;&#34;
</span><span style="color:#b44;font-style:italic">    kind: Config
</span><span style="color:#b44;font-style:italic">    preferences: {}
</span><span style="color:#b44;font-style:italic">    users: []</span></code></pre></div>
<p>The <code>kubeconfig</code> member of the ConfigMap is a config file with just the cluster
information filled out.  The key thing being communicated here is the
<code>certificate-authority-data</code>.  This may be expanded in the future.</p>

<p>The signature is a JWS signature using the &ldquo;detached&rdquo; mode.  To validate the
signature, the user should encode the <code>kubeconfig</code> payload according to JWS
rules (base64url encoded, with any trailing <code>=</code> padding discarded).  That encoded payload
is then used to form a whole JWS by inserting it between the 2 dots.  You can
verify the JWS using the <code>HS256</code> scheme (HMAC-SHA256) with the full token (e.g.
<code>07401b.f395accd246ae52d</code>) as the shared secret.  Users <em>must</em> verify that HS256
is used rather than accepting whatever algorithm the JWS header names: a verifier
that honours the header can be handed a signature whose header claims a different
algorithm, or none at all.</p>

<blockquote class="warning">
  <div><strong>Warning:</strong> Because the signature is an HMAC keyed with the token, any party
holding a bootstrap token can create a valid signature for that token. When using
ConfigMap signing it is discouraged to share the same token with many clients, since a
compromised client can potentially man-in-the-middle another client that relies on the
signature to bootstrap TLS trust.</div>
</blockquote>
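<p>The detached-JWS procedure above and the warning about symmetric signing, as an added Go example that is not part of the page or of the BootstrapSigner controller: <code>SignDetached</code> builds the <code>&lt;header&gt;..&lt;signature&gt;</code> value stored under <code>jws-kubeconfig-&lt;token id&gt;</code>, <code>VerifyDetached</code> re-inserts the base64url payload between the two dots, insists on <code>HS256</code> before computing anything, and compares the HMAC in constant time, and <code>VerifyClusterInfo</code> does what a joining client does with the <code>cluster-info</code> data. The kubeconfig payload is constructed for the example, with placeholder CA data and server address; the header field names <code>alg</code> and <code>kid</code> are the ones visible in the page&rsquo;s own signature value, whose header decodes to <code>{"alg":"HS256","kid":"07401b"}</code>.</p>

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// jwsHeader is the protected header: the algorithm plus, as kid, the public
// token ID so a reader can tell which token produced the signature.
type jwsHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// macOver is HMAC-SHA256 over the JWS signing input b64url(header).b64url(payload), keyed with the full token.
func macOver(encHeader, payload, tokenID, tokenSecret string) []byte {
	mac := hmac.New(sha256.New, []byte(tokenID+"."+tokenSecret))
	mac.Write([]byte(encHeader + "." + base64.RawURLEncoding.EncodeToString([]byte(payload))))
	return mac.Sum(nil)
}

// SignDetached returns the detached compact form b64url(header)..b64url(sig)
// that the signer stores under jws-kubeconfig-ID; the payload itself is omitted.
func SignDetached(payload, tokenID, tokenSecret string) (string, error) {
	hdr, err := json.Marshal(jwsHeader{Alg: "HS256", Kid: tokenID})
	if err != nil {
		return "", err
	}
	encHeader := base64.RawURLEncoding.EncodeToString(hdr)
	sig := macOver(encHeader, payload, tokenID, tokenSecret)
	return encHeader + ".." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyDetached re-attaches the payload and checks the MAC. The header's alg is
// only compared against HS256; "none" or anything else is refused before any
// MAC is computed, so the header never gets to choose the algorithm for us.
func VerifyDetached(detached, payload, tokenID, tokenSecret string) error {
	parts := strings.Split(detached, ".")
	if len(parts) != 3 || parts[1] != "" {
		return errors.New("not a detached compact JWS")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("bad header encoding: %v", err)
	}
	var hdr jwsHeader
	if err := json.Unmarshal(rawHeader, &hdr); err != nil {
		return fmt.Errorf("bad header: %v", err)
	}
	if hdr.Alg != "HS256" {
		return fmt.Errorf("refusing alg %q: only HS256 is acceptable", hdr.Alg)
	}
	expected := base64.RawURLEncoding.EncodeToString(macOver(parts[0], payload, tokenID, tokenSecret))
	if !hmac.Equal([]byte(parts[2]), []byte(expected)) { // constant-time compare
		return errors.New("signature does not verify: payload or token mismatch")
	}
	return nil
}

// VerifyClusterInfo takes the data of the kube-public/cluster-info ConfigMap, selects
// the jws-kubeconfig-ID entry for our token, and returns the kubeconfig only once verified.
func VerifyClusterInfo(data map[string]string, token string) (string, error) {
	halves := strings.SplitN(token, ".", 2)
	if len(halves) != 2 {
		return "", errors.New("token must have the form id.secret")
	}
	sig := data["jws-kubeconfig-"+halves[0]] // empty if there is no entry for this token ID
	if err := VerifyDetached(sig, data["kubeconfig"], halves[0], halves[1]); err != nil {
		return "", err
	}
	return data["kubeconfig"], nil
}

// sampleKubeconfig is a constructed payload in the shape the page shows; the
// CA data and server address are placeholders, not values from any cluster.
const sampleKubeconfig = `apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t
    server: https://10.138.0.2:6443
  name: ""
kind: Config
`

func main() {
	sig, _ := SignDetached(sampleKubeconfig, "07401b", "f395accd246ae52d")
	data := map[string]string{"kubeconfig": sampleKubeconfig, "jws-kubeconfig-07401b": sig}
	_, err := VerifyClusterInfo(data, "07401b.f395accd246ae52d")
	fmt.Println(sig, "\ngenuine ConfigMap:", err)
	data["kubeconfig"] = strings.Replace(sampleKubeconfig, "10.138.0.2", "198.51.100.7", 1) // API server swapped
	_, err = VerifyClusterInfo(data, "07401b.f395accd246ae52d")
	fmt.Println("tampered ConfigMap:", err)
}
```

<p>Because the key is symmetric, the same <code>macOver</code> serves both sides, which is exactly the warning&rsquo;s point: whoever can verify can also sign. An equivalent and simpler verifier recomputes the whole detached string with <code>SignDetached</code> and compares it to the stored value in constant time, which enforces the header contents implicitly; the explicit parse here makes the algorithm check visible. The <code>kid</code> header only names a token ID; it is the HMAC key, not <code>kid</code>, that binds a signature to a token.</p>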

<p>Consult the <a href="../../generated/kubeadm/index.html#security-model">kubeadm security model</a>
section for more information.</p>














			</div>
		</section>
		<footer>
    <main class="light-text">
        <div id="miceType" class="center">
            &copy; 2018 The Kubernetes Authors | Documentation Distributed under <a href="https://git.k8s.io/website/LICENSE" class="light-text">CC BY 4.0</a>
        </div>
        <div id="miceType" class="center">
            Copyright &copy; 2018 The Linux Foundation&reg;. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage" class="light-text">Trademark Usage page</a>
        </div>
    </main>
</footer>

	</body>
</html>